Add permission

Author: jasontedor

docs/reference/ccr/apis/follow/post-forget-follower.asciidoc

@@ -111,8 +111,8 @@ POST /<leader_index>/_ccr/forget_follower
 
 ==== Authorization
 
-If the {es} {security-features} are enabled, you must have `manage_follow_index`
-index privileges for the follower index. For more information, see
+If the {es} {security-features} are enabled, you must have `manage_leader_index`
+index privileges for the leader index. For more information, see
 {stack-ov}/security-privileges.html[Security privileges].
 
 ==== Example

x-pack/plugin/ccr/qa/security/follower-roles.yml

@@ -2,7 +2,7 @@ ccruser:
   cluster:
     - manage_ccr
   indices:
-    - names: [ 'allowed-index', 'logs-eu-*' ]
+    - names: [ 'allowed-index', 'forget-follower', 'logs-eu-*' ]
       privileges:
         - monitor
         - read

x-pack/plugin/ccr/qa/security/leader-roles.yml

@@ -2,7 +2,8 @@ ccruser:
   cluster:
     - read_ccr
   indices:
-    - names: [ 'allowed-index', 'logs-eu-*' ]
+    - names: [ 'allowed-index', 'forget-leader', 'logs-eu-*' ]
       privileges:
         - monitor
         - read
+        - manage_leader_index

x-pack/plugin/ccr/qa/security/src/test/java/org/elasticsearch/xpack/ccr/FollowIndexSecurityIT.java

@@ -6,21 +6,27 @@
 package org.elasticsearch.xpack.ccr;
 
 import org.elasticsearch.client.Request;
+import org.elasticsearch.client.Response;
 import org.elasticsearch.client.ResponseException;
 import org.elasticsearch.client.RestClient;
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.settings.SecureString;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
 import org.elasticsearch.common.xcontent.support.XContentMapValues;
+import org.elasticsearch.test.rest.yaml.ObjectPath;
 
+import java.io.IOException;
+import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
 import java.util.concurrent.TimeUnit;
 
 import static org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue;
 import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.empty;
 import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.hasSize;
 import static org.hamcrest.Matchers.is;
 
 public class FollowIndexSecurityIT extends ESCCRRestTestCase {
@@ -176,4 +182,51 @@ public void testAutoFollowPatterns() throws Exception {
         pauseFollow(client(), allowedIndex);
     }
 
+    public void testForgetFollower() throws IOException {
+        final String forgetLeader = "forget-leader";
+        final String forgetFollower = "forget-follower";
+        if ("leader".equals(targetCluster)) {
+            logger.info("running against leader cluster");
+            final Settings indexSettings = Settings.builder()
+                    .put("index.number_of_replicas", 0)
+                    .put("index.number_of_shards", 1)
+                    .put("index.soft_deletes.enabled", true)
+                    .build();
+            createIndex(forgetLeader, indexSettings);
+        } else {
+            logger.info("running against follower cluster");
+            followIndex(client(), "leader_cluster", forgetLeader, forgetFollower);
+
+            final Response response = client().performRequest(new Request("GET", "/" + forgetFollower + "/_stats"));
+            final String followerIndexUUID = ObjectPath.createFromResponse(response).evaluate("indices." + forgetFollower + ".uuid");
+
+            assertOK(client().performRequest(new Request("POST", "/" + forgetFollower + "/_ccr/pause_follow")));
+
+            try (RestClient leaderClient = buildLeaderClient(restClientSettings())) {
+                final Request request = new Request("POST", "/" + forgetLeader + "/_ccr/forget_follower");
+                final String requestBody = "{" +
+                        "\"follower_cluster\":\"follow-cluster\"," +
+                        "\"follower_index\":\"" +  forgetFollower + "\"," +
+                        "\"follower_index_uuid\":\"" + followerIndexUUID + "\"," +
+                        "\"leader_remote_cluster\":\"leader_cluster\"" +
+                        "}";
+                request.setJsonEntity(requestBody);
+                logger.info(requestBody);
+                assertOK(leaderClient.performRequest(request));
+
+                final Request retentionLeasesRequest = new Request("GET", "/" + forgetLeader + "/_stats");
+                retentionLeasesRequest.addParameter("level", "shards");
+                final Response retentionLeasesResponse = leaderClient.performRequest(retentionLeasesRequest);
+                final ArrayList<Object> shardsStats =
+                        ObjectPath.createFromResponse(retentionLeasesResponse).evaluate("indices." + forgetLeader + ".shards.0");
+                assertThat(shardsStats, hasSize(1));
+                @SuppressWarnings("unchecked") final Map<String, Object> shardStatsAsMap = (Map<String, Object>)shardsStats.get(0);
+                @SuppressWarnings("unchecked") final Map<String, Object> retentionLeasesStats =
+                        (Map<String, Object>) shardStatsAsMap.get("retention_leases");
+                @SuppressWarnings("unchecked") final ArrayList<Object> leases = (ArrayList<Object>)retentionLeasesStats.get("leases");
+                assertThat(leases, empty());
+            }
+        }
+    }
+
 }

x-pack/plugin/ccr/qa/src/main/java/org/elasticsearch/xpack/ccr/ESCCRRestTestCase.java

@@ -255,16 +255,25 @@ protected RestClient buildLeaderClient() throws IOException {
         return buildClient(System.getProperty("tests.leader_host"));
     }
 
+    protected RestClient buildLeaderClient(final Settings settings) throws IOException {
+        assert "leader".equals(targetCluster) == false;
+        return buildClient(System.getProperty("tests.leader_host"), settings);
+    }
+
     protected RestClient buildMiddleClient() throws IOException {
         assert "middle".equals(targetCluster) == false;
         return buildClient(System.getProperty("tests.middle_host"));
     }
 
     private RestClient buildClient(final String url) throws IOException {
+        return buildClient(url, restAdminSettings());
+    }
+
+    private RestClient buildClient(final String url, final Settings settings) throws IOException {
         int portSeparator = url.lastIndexOf(':');
         HttpHost httpHost = new HttpHost(url.substring(0, portSeparator),
-            Integer.parseInt(url.substring(portSeparator + 1)), getProtocol());
-        return buildClient(restAdminSettings(), new HttpHost[]{httpHost});
+                Integer.parseInt(url.substring(portSeparator + 1)), getProtocol());
+        return buildClient(settings, new HttpHost[]{httpHost});
     }
 
 }

x-pack/plugin/ccr/src/main/java/org/elasticsearch/xpack/ccr/action/TransportForgetFollowerAction.java

@@ -56,7 +56,7 @@ public TransportForgetFollowerAction(
             final IndexNameExpressionResolver indexNameExpressionResolver,
             final IndicesService indicesService) {
         super(
-                ForgetFollowerAction.ACTION_NAME,
+                ForgetFollowerAction.NAME,
                 Objects.requireNonNull(clusterService),
                 Objects.requireNonNull(transportService),
                 Objects.requireNonNull(actionFilters),

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ccr/action/ForgetFollowerAction.java

@@ -21,11 +21,11 @@
 
 public class ForgetFollowerAction extends Action<BroadcastResponse> {
 
-    public static final String ACTION_NAME = "indices:admin/xpack/ccr/forget_follower";
+    public static final String NAME = "indices:admin/xpack/ccr/forget_follower";
     public static final ForgetFollowerAction INSTANCE = new ForgetFollowerAction();
 
     private ForgetFollowerAction() {
-        super(ACTION_NAME);
+        super(NAME);
     }
 
     @Override
@@ -44,7 +44,7 @@ public static class Request extends BroadcastRequest<Request> {
         private static final ParseField FOLLOWER_INDEX_UUID = new ParseField("follower_index_uuid");
         private static final ParseField LEADER_REMOTE_CLUSTER = new ParseField("leader_remote_cluster");
 
-        private static final ObjectParser<String[], Void> PARSER = new ObjectParser<>(ACTION_NAME, () -> new String[4]);
+        private static final ObjectParser<String[], Void> PARSER = new ObjectParser<>(NAME, () -> new String[4]);
 
         static {
             PARSER.declareString((parameters, value) -> parameters[0] = value, FOLLOWER_CLUSTER);

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/IndexPrivilege.java

@@ -22,6 +22,7 @@
 import org.elasticsearch.action.admin.indices.validate.query.ValidateQueryAction;
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.collect.MapBuilder;
+import org.elasticsearch.xpack.core.ccr.action.ForgetFollowerAction;
 import org.elasticsearch.xpack.core.ccr.action.PutFollowAction;
 import org.elasticsearch.xpack.core.ccr.action.UnfollowAction;
 import org.elasticsearch.xpack.core.indexlifecycle.action.ExplainLifecycleAction;
@@ -62,6 +63,7 @@ public final class IndexPrivilege extends Privilege {
             ExplainLifecycleAction.NAME);
     private static final Automaton MANAGE_FOLLOW_INDEX_AUTOMATON = patterns(PutFollowAction.NAME, UnfollowAction.NAME,
         CloseIndexAction.NAME + "*");
+    private static final Automaton MANAGE_LEADER_INDEX_AUTOMATON = patterns(ForgetFollowerAction.NAME);
     private static final Automaton MANAGE_ILM_AUTOMATON = patterns("indices:admin/ilm/*");
 
     public static final IndexPrivilege NONE =                new IndexPrivilege("none",                Automatons.EMPTY);
@@ -78,6 +80,7 @@ public final class IndexPrivilege extends Privilege {
     public static final IndexPrivilege CREATE_INDEX =        new IndexPrivilege("create_index",        CREATE_INDEX_AUTOMATON);
     public static final IndexPrivilege VIEW_METADATA =       new IndexPrivilege("view_index_metadata", VIEW_METADATA_AUTOMATON);
     public static final IndexPrivilege MANAGE_FOLLOW_INDEX = new IndexPrivilege("manage_follow_index", MANAGE_FOLLOW_INDEX_AUTOMATON);
+    public static final IndexPrivilege MANAGE_LEADER_INDEX = new IndexPrivilege("manage_leader_index", MANAGE_LEADER_INDEX_AUTOMATON);
     public static final IndexPrivilege MANAGE_ILM =          new IndexPrivilege("manage_ilm",          MANAGE_ILM_AUTOMATON);
 
     private static final Map<String, IndexPrivilege> VALUES = MapBuilder.<String, IndexPrivilege>newMapBuilder()
@@ -95,6 +98,7 @@ public final class IndexPrivilege extends Privilege {
             .put("view_index_metadata", VIEW_METADATA)
             .put("read_cross_cluster", READ_CROSS_CLUSTER)
             .put("manage_follow_index", MANAGE_FOLLOW_INDEX)
+            .put("manage_leader_index", MANAGE_LEADER_INDEX)
             .put("manage_ilm", MANAGE_ILM)
             .immutableMap();